The phishing emails were designed to look like they were sent by DocuSign and had subject lines that said “Completed: [domain name] – Wire transfer for recipient-name Document Ready for Signature” or “Completed [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature.” Word Document attachments in the emails installed malware if opened.

The company began tracking the phishing campaign on its security site on May 9, though it was not until today that it confirmed its email list had been stolen.

In today’s post, DocuSign said its eSignature service, envelopes and customer documents remain secure, but that hackers were able to access customer email addresses through a “non-core” system that the company uses to send service-related announcements. DocuSign added that only email addresses were stolen and other sensitive information, including names, physical addresses, passwords, social security numbers, credit card data and documents sent through the eSignature system, were not accessed.

DocuSign said it has put more security measures in place and contacted law enforcement agencies. It listed several steps customers should take to protect themselves, including forwarding suspicious emails to spam@docusign.com before deleting them from their computers, updating anti-virus software and reading DocuSign’s white paper on phishing.

Editor’s note: An earlier version of this story incorrectly stated that customer emails were stolen. In fact it was customer email addresses which were part of the breach.